| Title | WAYOS FBM220G and others 24.10.19 Command Injection |
|---|---|
| Description | A command injection vulnerability exists in WAYOS FBM220G and other related models running firmware version FBM_220G-24.10.19V-vue-aiv3.trx. The vulnerability is located in the `sub_40F820` function within the `rc` binary. When processing configuration items such as `upnp_waniface`, `upnp_ssdp_interval`, and `upnp_max_age`, the program retrieves their values using `nvram_get` without proper sanitization. These values are then concatenated into a shell command string via `snprintf` and executed through `jhl_system`. An attacker who can tamper with the relevant configuration parameters may inject arbitrary commands, potentially leading to remote code execution and full device compromise. |
| Source | ⚠️ https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md |
| User | jfkk (UID 79868) |
| Submission | 31/01/2026 03:36 PM (3 months ago) |
| Moderation | 15/02/2026 05:04 PM (15 days later) |
| Status | Accepted |
| VulDB entry | 346157 [WAYOS FBM-220G 24.10.19 rc sub_40F820 upnp_waniface/upnp_ssdp_interval/upnp_max_age privilege escalation] |
| Points | 20 |